import * as plugins from '../plugins.ts'; import { logger } from '../logging.ts'; import { getErrorMessage } from '../utils/error.ts'; import { OneboxDatabase } from './database.ts'; import type { IDomain, IService } from '../types.ts'; type TWorkHosterType = 'onebox'; interface IExternalGatewayConfig { url: string; apiToken: string; gatewayClientId: string; /** @deprecated Use gatewayClientId. */ workHosterId: string; targetHost?: string; targetPort?: number; } interface IWorkHosterDomain { id?: string; name: string; source?: 'dcrouter' | 'provider'; authoritative?: boolean; providerId?: string; serviceCount?: number; managePath?: string; manageUrl?: string; capabilities?: { canCreateSubdomains: boolean; canManageDnsRecords: boolean; canIssueCertificates: boolean; canHostEmail: boolean; }; } interface IGatewayDnsRecord { id: string; domainId: string; domainName?: string; name: string; type: string; value: string; ttl: number; source: string; status: 'active' | 'missing'; gatewayClientType: 'onebox' | 'cloudly' | 'custom'; gatewayClientId: string; appId: string; hostname: string; routeId?: string; serviceName?: string; managePath?: string; manageUrl?: string; } interface IWorkAppRouteOwnership { workHosterType: TWorkHosterType; workHosterId: string; workAppId: string; hostname: string; } interface IGatewayClientOwnership { gatewayClientType: TWorkHosterType; gatewayClientId: string; appId: string; hostname: string; } interface IWorkAppRouteSyncResult { success: boolean; action?: 'created' | 'updated' | 'deleted' | 'unchanged'; routeId?: string; message?: string; } interface IDcRouterCertificateExport { success: boolean; cert?: { id: string; domainName: string; created: number; validUntil: number; privateKey: string; publicKey: string; csr: string; }; message?: string; } interface IDcRouterRouteConfig { name: string; match: { ports: number[]; domains: string[]; }; action: { type: 'forward'; targets: Array<{ host: string; port: number }>; tls: { mode: 'terminate'; certificate: 'auto'; }; websocket: { enabled: boolean; }; }; } export class ExternalGatewayManager { private database: OneboxDatabase; constructor(private oneboxRef: any) { this.database = oneboxRef.database; } public async init(): Promise { if (!(await this.isConfigured())) { logger.info('External dcrouter gateway not configured'); return; } await this.syncDomains(); } public async isConfigured(): Promise { const config = await this.getConfig({ requireTarget: false }); return Boolean(config); } public async syncDomains(): Promise { if (!(await this.isConfigured())) { return this.database.getDomainsByProvider('dcrouter'); } const response = { domains: await this.getGatewayDomains() }; const activeDomainNames = new Set(); const now = Date.now(); for (const gatewayDomain of response.domains) { const domainName = gatewayDomain.name.trim().toLowerCase(); if (!domainName) continue; activeDomainNames.add(domainName); const existingDomain = this.database.getDomainByName(domainName); const defaultWildcard = gatewayDomain.capabilities?.canIssueCertificates !== false; if (existingDomain) { this.database.updateDomain(existingDomain.id!, { dnsProvider: 'dcrouter', isObsolete: false, defaultWildcard, updatedAt: now, }); } else { this.database.createDomain({ domain: domainName, dnsProvider: 'dcrouter', isObsolete: false, defaultWildcard, createdAt: now, updatedAt: now, }); } } for (const domain of this.database.getDomainsByProvider('dcrouter')) { if (!activeDomainNames.has(domain.domain)) { this.database.updateDomain(domain.id!, { isObsolete: true, updatedAt: now, }); } } logger.success(`Synced ${activeDomainNames.size} domain(s) from external dcrouter gateway`); return this.database.getDomainsByProvider('dcrouter'); } public async getGatewayDomains(): Promise { const config = await this.getConfig({ requireTarget: false }); if (!config) return []; try { const response = await this.fireDcRouterRequest<{ domains: IWorkHosterDomain[] }>( 'getGatewayClientDomains', { gatewayClientId: config.gatewayClientId }, config, ); return response.domains.map((domain) => ({ ...domain, manageUrl: this.buildManageUrl(config, domain.managePath), })); } catch (error) { logger.debug(`Falling back to legacy gateway domain API: ${getErrorMessage(error)}`); const response = await this.fireDcRouterRequest<{ domains: IWorkHosterDomain[] }>( 'getWorkHosterDomains', {}, config, ); return response.domains.map((domain) => ({ ...domain, manageUrl: this.buildManageUrl(config, domain.managePath), })); } } public async getGatewayDnsRecords(): Promise { const config = await this.getConfig({ requireTarget: false }); if (!config) return []; try { const response = await this.fireDcRouterRequest<{ records: IGatewayDnsRecord[] }>( 'getGatewayClientDnsRecords', { gatewayClientId: config.gatewayClientId }, config, ); return response.records.map((record) => ({ ...record, serviceName: record.serviceName || record.appId, manageUrl: this.buildManageUrl(config, record.managePath), })); } catch (error) { logger.warn(`Failed to fetch gateway DNS records: ${getErrorMessage(error)}`); return []; } } public async syncServiceRoute(service: IService): Promise { if (!service.domain) return; const config = await this.getConfig({ requireTarget: true }); if (!config) return; const result = await this.fireDcRouterRequest( 'syncGatewayClientRoute', { ownership: this.buildGatewayClientOwnership(service, service.domain, config), route: this.buildRoute(service, config), enabled: service.status === 'running', }, config, ).catch(async () => { return await this.fireDcRouterRequest( 'syncWorkAppRoute', { ownership: this.buildOwnership(service, service.domain!, config), route: this.buildRoute(service, config), enabled: service.status === 'running', }, config, ); }); if (!result.success) { throw new Error(result.message || `dcrouter route sync failed for ${service.domain}`); } logger.success(`External gateway route ${result.action || 'synced'} for ${service.domain}`); await this.importCertificateForDomain(service.domain).catch((error) => { logger.debug(`External gateway certificate import skipped for ${service.domain}: ${getErrorMessage(error)}`); }); } public async deleteServiceRoute(service: Pick): Promise { if (!service.domain) return; const config = await this.getConfig({ requireTarget: false }); if (!config) return; const result = await this.fireDcRouterRequest( 'syncGatewayClientRoute', { ownership: this.buildGatewayClientOwnership(service, service.domain, config), delete: true, }, config, ).catch(async () => { return await this.fireDcRouterRequest( 'syncWorkAppRoute', { ownership: this.buildOwnership(service, service.domain!, config), delete: true, }, config, ); }); if (!result.success) { throw new Error(result.message || `dcrouter route delete failed for ${service.domain}`); } logger.info(`External gateway route ${result.action || 'deleted'} for ${service.domain}`); } public async importCertificateForDomain(domain: string): Promise { const config = await this.getConfig({ requireTarget: false }); if (!config) return false; const result = await this.fireDcRouterRequest( 'exportCertificate', { domain }, config, ); if (!result.success || !result.cert) { return false; } const now = Date.now(); const existingCertificate = this.database.getSSLCertificate(domain); if (existingCertificate) { this.database.updateSSLCertificate(domain, { certPem: result.cert.publicKey, keyPem: result.cert.privateKey, fullchainPem: result.cert.publicKey, expiryDate: result.cert.validUntil, updatedAt: now, }); } else { await this.database.createSSLCertificate({ domain, certPem: result.cert.publicKey, keyPem: result.cert.privateKey, fullchainPem: result.cert.publicKey, expiryDate: result.cert.validUntil, issuer: 'dcrouter', createdAt: now, updatedAt: now, }); } await this.oneboxRef.reverseProxy.reloadCertificates(); logger.success(`Imported external gateway certificate for ${domain}`); return true; } private async getConfig(options: { requireTarget?: boolean } = {}): Promise { const url = this.normalizeUrl(this.database.getSetting('dcrouterGatewayUrl') || ''); const apiToken = await this.database.getSecretSetting('dcrouterGatewayApiToken'); if (!url || !apiToken) { return null; } const gatewayClientId = this.ensureGatewayClientId(); const config: IExternalGatewayConfig = { url, apiToken, gatewayClientId, workHosterId: gatewayClientId, }; if (options.requireTarget !== false) { config.targetHost = this.database.getSetting('dcrouterTargetHost') || this.database.getSetting('serverIP') || undefined; const targetPort = this.parsePort( this.database.getSetting('dcrouterTargetPort') || this.database.getSetting('httpPort') || '80', ); config.targetPort = targetPort; if (!config.targetHost) { throw new Error('dcrouterTargetHost or serverIP must be configured for external gateway route sync'); } } return config; } private async requireConfig(options: { requireTarget?: boolean } = {}): Promise { const config = await this.getConfig(options); if (!config) { throw new Error('External dcrouter gateway is not configured'); } return config; } private normalizeUrl(url: string): string { const trimmedUrl = url.trim().replace(/\/+$/, ''); if (!trimmedUrl) return ''; if (/^https?:\/\//.test(trimmedUrl)) return trimmedUrl; return `https://${trimmedUrl}`; } private parsePort(portValue: string): number { const port = Number(portValue); if (!Number.isInteger(port) || port < 1 || port > 65535) { throw new Error(`Invalid dcrouter target port: ${portValue}`); } return port; } private ensureGatewayClientId(): string { let gatewayClientId = this.database.getSetting('dcrouterGatewayClientId') || this.database.getSetting('dcrouterWorkHosterId'); if (!gatewayClientId) { gatewayClientId = crypto.randomUUID(); this.database.setSetting('dcrouterGatewayClientId', gatewayClientId); } return gatewayClientId; } private buildOwnership( service: Pick, hostname: string, config: IExternalGatewayConfig, ): IWorkAppRouteOwnership { return { workHosterType: 'onebox', workHosterId: config.gatewayClientId, workAppId: service.name || `service-${service.id}`, hostname, }; } private buildGatewayClientOwnership( service: Pick, hostname: string, config: IExternalGatewayConfig, ): IGatewayClientOwnership { return { gatewayClientType: 'onebox', gatewayClientId: config.gatewayClientId, appId: service.name || `service-${service.id}`, hostname, }; } private buildRoute(service: IService, config: IExternalGatewayConfig): IDcRouterRouteConfig { return { name: this.routeName(service.domain!), match: { ports: [443], domains: [service.domain!], }, action: { type: 'forward', targets: [{ host: config.targetHost!, port: config.targetPort! }], tls: { mode: 'terminate', certificate: 'auto', }, websocket: { enabled: true, }, }, }; } private routeName(domain: string): string { return `onebox-${domain.replace(/[^a-zA-Z0-9]+/g, '-').replace(/^-|-$/g, '')}`; } private buildManageUrl(config: IExternalGatewayConfig, managePath?: string): string { const normalizedPath = managePath?.startsWith('/') ? managePath : managePath ? `/${managePath}` : ''; return `${config.url}${normalizedPath}`; } private async fireDcRouterRequest( method: string, requestData: Record, config: IExternalGatewayConfig, ): Promise { const typedRequest = new plugins.typedrequest.TypedRequest( `${config.url}/typedrequest`, method, ); return await typedRequest.fire({ ...requestData, apiToken: config.apiToken, }) as TResponse; } }